Created
March 3, 2017 15:44
-
-
Save andromedarabbit/4bcd790f2eca7bca6ddf54c7b49e5f35 to your computer and use it in GitHub Desktop.
ElastAlert rule example
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Alert when the rate of events exceeds a threshold | |
| # (Required) | |
| # Rule name, must be unique | |
| name: OutOfMemoryError | |
| # (Required) | |
| # Type of alert. | |
| # the frequency rule type alerts when num_events events occur with timeframe time | |
| type: frequency | |
| # (Required) | |
| # Index to search, wildcard supported | |
| index: logstash-%Y.%m.%d* | |
| use_strftime_index: true | |
| # (Required, frequency specific) | |
| # Alert when this many documents matching the query occur within a timeframe | |
| num_events: 1 | |
| # (Required, frequency specific) | |
| # num_events must occur within this amount of time to trigger an alert | |
| timeframe: | |
| hours: 1 | |
| # (Required) | |
| # A list of Elasticsearch filters used for find events | |
| # These filters are joined with AND and nested in a filtered query | |
| # For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html | |
| filter: | |
| - query_string: | |
| query: "message: OutOfMemoryError OR log: OutOfMemoryError" | |
| # (Required) | |
| # The alert is use when a match is found | |
| alert: | |
| - "slack" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
how can i set rule when a particular string is not present in logs.
LIke i want to get alert when a string "12345678" is not in logs.